CVE-2019-20500

CVE Database · CVE-2019-20500

CVE-2019-20500

· HIGHAnalyzed

CVSS v3.1

7.8

EPSS

95.80%

Published

Mar 5, 2020

Modified

Nov 7, 2025

CISA Known Exploited Vulnerability

Added: 2023-06-29 · Due: 2023-07-20

Apply updates per vendor instructions or discontinue use of the product if updates are unavailable.

Public PoC / Exploit (2)

All weaponized →

Exploit-DBD-Link DWL-2600AP - Multiple OS Command Injection TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Save Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_save configBackup or downloadServerip parameter.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-78CWE-78

Affected Products (2)

dlink · dwl-2600ap_firmwarevulnerable

dlink · dwl-2600ap

References (5)

https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10113

PatchVendor Advisory

https://www.exploit-db.com/exploits/46841

ExploitThird Party AdvisoryVDB Entry

https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10113

PatchVendor Advisory

https://www.exploit-db.com/exploits/46841

ExploitThird Party AdvisoryVDB Entry

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-20500

KEV Catalog EPSS Scores Vendors All CVEs